Review Summary: Double-Spend Counter Attacks: Threats of Retaliation in Proof-of-Work Systems
†Double-Spend Counter-Attacks: Threat of Retaliation in Proof-of-Work Systems. [PDF]
Daniel J. Moroz (Harvard University), Daniel J. Aronoff (MIT), Neha Narula (MIT Digital Currency Initiative), David C. Parkes (Harvard University)
(† Hot Topics accept, abstract & review summary to journal)
Paper summaries from the reviewers:
“The paper presents a novel economic consideration for double spend attacks, building on the prior research in the area. The theoretic considerations are well modelled, and the paper presents an empirical analysis to support many of the assumptions required by the presented model. Whether such an economic scenario is realistic is questionable, and there is certainly not enough empirical analysis in this paper to favour the theory described in the paper. The strong conclusion that double spending attacks are not rational given the model presented in the paper is perhaps too strong when we consider it within the overall system.”
“The paper presents an empirical investigation into actual double spends in 20 cryptocurrencies over a 3 month period (observing 2 double spend attacks) in addition to presenting a game theoretic analysis of the retaliation game. The paper presents a well researched history of economic considerations of double spend attacks and grounds its assumptions in real world data from a variety of cryptocurrency ecosystems. The theoretic considerations are well modelled, and the paper presents an empirical analysis to support many of the assumptions required by the presented model.”
“This paper deals with the question of why double spending attacks have been relatively rare in proof-of-work currency systems. The authors propose the explanation that they may be intimidated by the fact that a victim could retaliate with a double spending attack on the attacker. They model the situation in which attacker and victims trade attacks as a war of attrition, and show that it is a subgame perfect equilibrium for no attack to occur in the first place.”
Comments on the strength of the paper:
“The authors model a double-spend attack as a variant of a "war of attrition" where attacker and victim each progressively double-spend each other, the victim trying to undo the initial attack. Under some explicitly stated assumptions, they analyze this game in an attempt to understand the small number (zero) of 51% attacks on Bitcoin vs earlier theoretically-predicted estimates. Well written, well cited (including recent discussion in non-academic literature, e.g. on Medium), assumptions are explicitly stated. The mathematical model is straightforward.”
“The paper considers a problem that I believe has not been addressed before. Although game theory has been applied to double spending before, it has not been applied to the explanation of the paucity of double-spending attacks. The authors also shore up the theoretical results with empirical evidence and analysis. In particular, they perform their own monitoring of PoW chains to justify their claims that double spending attacks are rare. They also carefully justify their assumptions, and show what would happen if the assumptions do not hold.”
Critiques & author responses:
Comment: The authors describe an "attack"/"counterattack" scenario; while they show empirical evidence of 51% attacks they do not show evidence of this dynamic occurring. The assumptions of the paper are not necessarily realistic (though there is discussion of this point near the end). The authors explicitly monitored 20 PoW blockchains for a period of 3 months, except for Ethereum and Ethereum Classic where it is computationally infeasible to do so. This is a reasonable, though limited, approach to determining network dynamics which by nature are not recorded on the blockchain.
Response: This is absolutely right, and is a comment that all of our reviewers made. It is true that we have not seen a 51% counter-attack implemented. We think this is likely due to the technical complexity, in today’s blockchain world, of monitoring the chain, and having hash-power at the ready to do the counter-attack. We have adjusted the paper to say that we do not intend the possibility of counter-attack to explain the sparsity of counter-attacks today. Instead, we propose the counter-attack as a defense strategy that we expect to see when the market matures (in particular the hashrate market, which has become increasingly liquid over time).
Comment: “The empirical data is very interesting and the model is worthwhile and offers an interesting perspective on the incentives around 51% attacking. A few notes:
1. The claim is made that "no double-spend attacks have occurred on Bitcoin". The authors mean to say "no 51% attacks". The more general term "double-spend" also refers to defrauding zero-confirmation services, which happens all the time on Bitcoin (though to the best of my knowledge there is no public data about how much it occurs; this is even more embarrassing to the victims than 51% attacks are because it's entirely the victim's fault).
2. In section 2 p_block is defined as the "block reward", which is later clarified to mean the block subsidy, i.e. the 12.5 BTC per block. This should additionally include transaction fees, and the meaning of the term clarified where it is first introduced.
3. There is not much to be done about it, but I find the assumption that "the value of the currency will decrease in response to a 51% attack" implausible. The authors discuss this at length and I don't think it is fatal to the paper, though it does limit its applicability. Similarly I'm not sure that it's plausible that an exchange's reputation would be significantly damaged if it were victim to a deep reorg (say, >6 blocks) 51% attack.”
Response: We have added some explanation that our model is not absolutely reliant on these particular assumptions. Essentially what we need is that the net profit of doing an attack decreases (for at least the attacker, but more realistically for both players) and that the defender has some reason to hold out longer. This can be achieved by, e.g., assuming that the price remains constant but the cost of attack rises over time due to the increasing cost of capital as the amount of capital borrowed (to do the attacks) increases.
Comment: “The quality of data is likely to be imperfect for three reasons:
a) low-value low-hashpower coins have very few nodes (in some cases none at all) outside of exchanges and mining pools (in some cases there is only one pool)
b) running a single node results in a limited view of the network; in theory, a double spend could happen and the monitoring node would only see the final result rather than seeing the reorg happen. (Though because the authors are looking only for deep reorgs, this is not really a concern.)
c) Regarding Ethereum and Ethereum Classic, the authors use a 3rd party chain scanning service because they do not have the resources to validate the chain. In fact basically nobody has the resources to validate Ethereum and on several occasions they have had validation bugs that remained open for several months, advising users to use the "quick sync" to skip validation of the problematic parts of the chain. These issues, in conjunction with Ethereum's very fast blocks and complex reorg and tx validation logic (e.g. some transactions are valid conditional on the exact hash of Ethereum blocks; others rely on complex transaction ordering conditions), suggest that the authors' techniques are insufficient to draw conclusions about these chains.
It would be worthwhile for the authors to highlight these concerns in Appendix A, where they describe the data collection techniques. Having said this, because the actual data shows very deep reorgs - sometimes 40+ blocks - I think the signal overwhelms the noise of these problems and the authors' conclusions still hold, except possibly in the case of Ethereum.”
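The deep-reorg monitoring this comment refers to can be illustrated with a short added example; it is not code from the paper or its reviewers, and the paper's own collection method is not shown on this page. It assumes a single node that stores every header it has validated and logs each change of best tip; the block names, the `min_depth` threshold and the sample chain are constructed for illustration.

```python
"""Measure reorg depth from the best-tip changes logged by one monitoring node."""

def build_sample():
    # Constructed header store: hash -> (parent_hash, height).
    headers = {"g0": (None, 0)}
    for h in range(1, 9):            # branch a1..a8, first seen as best chain
        headers[f"a{h}"] = ("g0" if h == 1 else f"a{h - 1}", h)
    headers["c4"] = ("a3", 4)        # ordinary stale block at height 4
    for h in range(2, 11):           # competing branch b2..b10, forks after a1
        headers[f"b{h}"] = ("a1" if h == 2 else f"b{h - 1}", h)
    # Best tips in the order the node logged them. The node never saw b2..b9
    # as best tip: it observed only the final switch from a8 to b10.
    tips = ["a1", "a2", "a3", "c4", "a5", "a6", "a7", "a8", "b10"]
    return headers, tips

def common_ancestor(headers, a, b):
    """Walk both tips back through parent links to the block they share."""
    while a != b:
        if headers[a][1] >= headers[b][1]:
            a = headers[a][0]        # step back from the higher (or equal) tip
        else:
            b = headers[b][0]
    return a

def find_reorgs(headers, tips, min_depth=6):
    """Return (old_tip, new_tip, depth) for tip switches that roll back
    at least min_depth blocks of the previously best chain."""
    alerts = []
    for old, new in zip(tips, tips[1:]):
        fork = common_ancestor(headers, old, new)
        depth = headers[old][1] - headers[fork][1]   # blocks disconnected
        if depth >= min_depth:
            alerts.append((old, new, depth))
    return alerts

HEADERS, TIPS = build_sample()

if __name__ == "__main__":
    for old, new, depth in find_reorgs(HEADERS, TIPS):
        print(f"deep reorg: {old} -> {new}, {depth} blocks rolled back")
```

Because depth is computed from stored parent links rather than from watching each competing block arrive, a node that sees only the final tip switch still measures the full rollback, which is the point made in item (b).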
Comment: “The arguments made in this paper might have more weight if the empirical analysis had considered more chains over a longer period of time - while described as "extended period of time", 3 months is a fairly limited timescale for systems that have a lifespan measured in decades. Indeed, observing 2 such double spend attacks in a 3 month period slightly undermines one of the main claimed motivations of the article (the empirical sparsity of such attacks). This rate would seem to imply that double spends are more common than believed.”
Comment: “While I doubt that many attackers are currently considering the risks of a counter attack when considering a double spend, it is certainly an interesting idea that deserves the treatment in this paper - and I expect will become more relevant as the hashrate market matures. While I have some critiques of the empirical basis for the motivation and claims within this paper, I ultimately feel like the considered counter-attack argument is novel and the treatment meets the bar for acceptance.”
Comment: “The game theoretic analysis concludes that it is in the interests of the victim to retaliate when it is attacked. But in that case I would expect such retaliation to occur in the case of at least some of the double-spending attacks that have been recorded. The authors should attempt to account for this.”
Comment: “I would have liked to have seen some more discussion of the following questions:
1. If it is in the best interests of the victim to retaliate, why doesn't any of the data show such a counter-attack happening?
2. In your data all but 2 attacks result in thefts of under a million dollars, and there is only one that results in a theft of substantially more than a million. How does this stack up against the amount of money stolen using other attacks? If it is substantially less, can you propose a reason for it? Moreover, if the expected profit is substantially less than in other kinds of attacks, could that be another reason why double spending attacks are not more popular?”
Response: Thank you. We have added a paragraph at the end of the ‘Empirical Results’ section with a comment as suggested. Certainly there have been many traditional computer security vulnerabilities leading to theft of cryptocurrency keys or extortion by ransomware. These are related to operational security rather than the incentive security of the underlying PoW system. The WSJ reports that over $1 Billion USD has been stolen by traditional means. However, these are a substantially different kind of attack that we do not generally address in this work. We are not aware of any other kinds of protocol-based incentive attacks that enable thefts of cryptocurrencies.
Comment: It would be helpful to include information about the frequency and profitability of other kinds of attacks. How much rarer are double spending attacks than other attacks?
Response: We have added a paragraph at the end of ‘Empirical Results’ discussing the difference between double-spend and traditional attacks, including their frequency and quantity, and explaining why we do not consider traditional attacks in depth throughout the work.